An Introduction to Bisimulation and Coinduction Davide Sangiorgi - PowerPoint PPT Presentation

Examples of trace-equivalent processes: d b = a b d a c e a e c a b = a a b These equalities are OK on automata. ... but they are not on processes ( deadlock risk!) page 26

For instance, you would not consider these two vending machines ‘the same’: tea collect − tea 1 c collect − tea 1 c tea collect − coffee coffee 1 c coffee collect − coffee Trace equivalence (also called language equivalence) is still important in concurrency. Examples: confluent processes; liveness properties such as termination page 27

These examples suggest that the notion of equivalence we seek: – should imply a tighter correspondence between transitions than language equivalence, – should be based on the informations that the transitions convey, and not on the shape of the diagrams. Intuitively, what does it mean for an observer that two machines are equivalent? If you do something with one machine, you must be able to the same with the other, and on the two states which the machines evolve to the same is again true. This is the idea of equivalence that we are going to formalise; it is called bisimilarity . page 28

Bisimulation and bisimilarity We define bisimulation on a single LTS, because: the union of two LTSs is an LTS; we will often want to compare derivatives of the same process. Definition A relation R on processes is a bisimulation if whenever P R Q : µ µ → Q ′ and P ′ R Q ′ ; 1. ∀ µ, P ′ s.t. P → P ′ , then ∃ Q ′ such that Q − − µ µ → P ′ and P ′ R Q ′ . 2. ∀ µ, Q ′ s.t. Q → Q ′ , then ∃ P ′ such that P − − P and Q are bisimilar , written P ∼ Q , if P R Q , for some bisimulation R . R The bisimulation diagram: P Q µ ↓ µ ↓ P ′ Q ′ R page 29

Examples Show P 1 ∼ Q 1 (easy, processes are deterministic): a b a P 1 P 2 Q 1 Q 2 Q 3 b a page 30

Examples Show P 1 ∼ Q 1 (easy, processes are deterministic): a b a P 1 P 2 Q 1 Q 2 Q 3 b a First attempt for a bisimulation: R = { ( P 1 , Q 1 ) , ( P 2 , Q 2 ) } Bisimulation diagrams for ( P 1 , Q 1 ) : R R P 1 Q 1 P 1 Q 1 a ↓ a ↓ a ↓ a ↓ P 2 Q 2 P 2 Q 2 page 31

Examples Show P 1 ∼ Q 1 (easy, processes are deterministic): a b a P 1 P 2 Q 1 Q 2 Q 3 b a First attempt for a bisimulation: R = { ( P 1 , Q 1 ) , ( P 2 , Q 2 ) } Bisimulation diagrams for ( P 1 , Q 1 ) : R R P 1 Q 1 P 1 Q 1 a ↓ a ↓ a ↓ a ↓ P 2 R Q 2 P 2 R Q 2 page 32

Examples Show P 1 ∼ Q 1 (easy, processes are deterministic): a b a P 1 P 2 Q 1 Q 2 Q 3 b a First attempt for a bisimulation: R = { ( P 1 , Q 1 ) , ( P 2 , Q 2 ) } Bisimulation diagrams for ( P 2 , Q 2 ) : R R P 2 Q 2 P 2 Q 2 b ↓ b ↓ b ↓ b ↓ � � P 1 R Q 3 P 1 R Q 3 page 33

Examples Show P 1 ∼ Q 1 (easy, processes are deterministic): a b a P 1 P 2 Q 1 Q 2 Q 3 b a First attempt for a bisimulation: R = { ( P 1 , Q 1 ) , ( P 2 , Q 2 ) } Bisimulation diagrams for ( P 2 , Q 2 ) : R R P 2 Q 2 P 2 Q 2 b ↓ b ↓ b ↓ b ↓ � � P 1 R Q 3 P 1 R Q 3 page 34

Examples Show P 1 ∼ Q 1 (easy, processes are deterministic): a b a P 1 P 2 Q 1 Q 2 Q 3 b a A bisimulation: R = { ( P 1 , Q 1 ) , ( P 2 , Q 2 ) , ( P 1 , Q 3 ) } All diagrams are ok page 35

b Suppose we add a b -transition to Q 2 − → Q 1 : a b a P 1 P 2 Q 1 Q 2 Q 3 b b a In the original R = { ( P 1 , Q 1 ) , ( P 2 , Q 2 ) } now the diagrams for ( P 2 , Q 2 ) look ok: P 2 R Q 2 P 2 R Q 2 b ↓ b ↓ b ↓ b ↓ P 1 R Q 1 P 1 R Q 1 R is still not a bisimulation: why? page 36

Now we want to prove Q 1 ∼ R 1 (all processes but R 4 are deterministic): b a Q 1 Q 2 Q 3 a a a b R 1 R 2 R 3 b R 4 b Our initial guess: { ( Q 1 , R 1 ) , ( Q 2 , R 2 ) , ( Q 3 , R 3 ) , ( Q 2 , R 4 ) } The diagram checks for the first 3 pairs are easy. On ( Q 2 , R 4 ) : Q 2 R R 4 Q 2 R R 4 b ↓ b ↓ b ↓ b ↓ R R Q 3 R 3 Q 3 R 3 b − → R 1 One diagram check is missing. Which one? R 4 page 37

Now we want to prove Q 1 ∼ R 1 (all processes but R 4 are deterministic): b a Q 1 Q 2 Q 3 a a a b R 1 R 2 R 3 b R 4 b Our initial guess: { ( Q 1 , R 1 ) , ( Q 2 , R 2 ) , ( Q 3 , R 3 ) , ( Q 2 , R 4 ) } The diagram checks for the first 3 pairs are easy. On ( Q 2 , R 4 ) : R R Q 2 R 4 Q 2 R 4 b ↓ b ↓ b ↓ b ↓ Q 3 R R 3 Q 3 R R 3 b The diagram for R 4 − → R 1 is missing. Add ( Q 3 , R 1 ) page 38

We want to prove M 1 ∼ N 1 : M 1 N 1 a a a b b b M 2 N 2 N 3 b b a a a b M 3 N 4 N 5 page 39

A graphical representation of a bisimulation: M 1 N 1 a a a b b b M 2 N 2 N 3 b b a a a b M 3 N 4 N 5 { ( M 1 , N 1 ) , ( M 2 , N 2 ) , ( M 2 , N 3 ) , ( M 3 , N 4 ) , ( M 3 , N 5 ) } page 40

Find an LTS with only two states, and in a bisimulation relation with the states of following LTS: a b R 1 b b c R 2 R 3 c page 41

Take a a R ′ b R 1 1 b b b b c R 2 R 3 R c c A bisimulation is { ( R 1 , R ′ 1 ) , ( R 2 , R ) , ( R 3 , R ) } . page 42

Examples: nondeterminism Are the following processes bisimilar? Q P • • a a a • • • b c c b • • • • R • a a a • • • b c c b • • • • page 43

Q P • • a a • • b b b • • • c d c d • • • • R • a a • • b b • • c d • • page 44

Basic properties of bisimilarity Theorem ∼ is an equivalence relation, i.e. the following hold: 1. P ∼ P (reflexivity) 2. P ∼ Q implies Q ∼ P (symmetry) 3. P ∼ Q and Q ∼ R imply P ∼ R (transitivity); Corollary ∼ itself is a bisimulation. Exercise Prove the corollary. You have to show that ∪{R | R is a bisimulation } is a bisimulation. page 45

The previous corollary suggests an alternative definition of ∼ : Corollary ∼ is the largest relation on processes such that P ∼ Q implies: µ µ → Q ′ and P ′ ∼ Q ′ ; 1. ∀ µ, P ′ s.t. P → P ′ , then ∃ Q ′ such that Q − − 2. ∀ µ, Q ′ s.t. Q µ → Q ′ , then ∃ P ′ such that P µ → P ′ and P ′ ∼ Q ′ . − − page 46

Proof of transitivity Hp: P ∼ Q and Q ∼ R . Th: P ∼ R . For P ∼ R , we need a bisimulation R with P R R . Since P ∼ Q and Q ∼ R , there are bisimulations R 1 and R 2 with P R 1 Q and Q R 2 R . Set R = { ( P, R ) | there is Q with P R 1 Q and Q R 2 R } Claim: R is a bisimulation. a → P ′ : Take ( P, R ) ∈ R , because ∃ Q with P R 1 Q and Q R 2 R , with P − R 1 R 2 P Q R µ ↓ µ ↓ µ ↓ P ′ Q ′ R ′ R 1 R 2 page 47

Proof of symmetry First, show that inverse of a bisimulation R is again a bisimulation: R − 1 = { ( P, Q ) | Q R P } Now conclude: If P ∼ Q , there is a bisimulation R with P R Q . We also have Q R − 1 P and R − 1 is a bisimulation. Hence Q ∼ P . page 48

An enhancement of the bisimulation proof method We write P ∼R∼ Q if there are P ′ , Q ′ s.t. P ∼ P ′ , P ′ R Q ′ , and Q ′ ∼ Q (and alike for similar notations). Definition A relation R on processes is a bisimulation up-to ∼ if P R Q implies: µ µ → Q ′ and P ′ ∼R∼ Q ′ . → P ′ , then there is Q ′ such that Q 1. if P − − µ → Q ′ , then there is P ′ such that P µ → P ′ and P ′ ∼R∼ Q ′ . − − 2. if Q Exercise If R is a bisimulation up-to ∼ then R ⊆∼ . (Hint: prove that ∼ R ∼ is a bisimulation.) page 49

Simulation Definition A relation R on processes is a simulation if P R Q implies: µ → P ′ , then there is Q ′ such that Q µ → Q ′ and P ′ R Q ′ . − − 1. if P P is simulated by Q , written P < Q , if P R Q , for some simulation R . Exercise Does P ∼ Q imply P < Q and Q < P ? What about the converse? (Hint for the second point: think about the 2nd equality at page 26.) page 50

Exercize: quantifiers Suppose the existential quantifiers in the definition of bisimulation were replaced by universal quantifiers. For instance, clause (1) would become: – for all P ′ with P µ → P ′ , and for all Q ′ such that Q µ → Q ′ , we have − − P ′ R Q ′ ; and similarly for clause (2). Would these two (identical!) processes be bisimilar? What do you think bisimilarity would become? Q P • • a a a a • • • • c c b b • • • • page 51

Other equivalences: examples We have seen: trace equivalence has deadlock problems, e.g., • • = a a a • • • b c c b • • • • Besides bisimilarity, many other solutions have been suggested, usually inductive. Ex: using decorated traces , i.e., pairs a 1 . . . a n ; S of a sequence of actions and a set of action P has a 1 . . . a n ; S if: a 1 ∃ R ′ st P a n → R ′ and then R ′ b − → . . . − − → ⇔ b ∈ S The mathematical robustness of bisimilarity and the bisimulation proof method are however major advantages (i.e., on finite-state processes: bisimilarity is P-space complete, inductive equivalences are PSPACE-complete) page 52

We have seen: – the problem of equality between processes – representing behaviours: LTSs – graph theory, automata theory – bisimilarity – the bisimulation proof method – impredicativity (circularity) Bisimilarity and the bisimulation proof method: very different from the the usual, familiar inductive definitions and inductive proofs . They are examples of a coinductive definition and of a coinductive proof technique . page 53

Induction and coinduction – examples – duality – fixed-point theory page 54

Examples of induction and coinduction page 55

Mathematical induction To prove a property for all natural numbers: 1. Show that the property holds at 0 (basis) 2. Show that, whenever the property holds at n , it also holds at n + 1 (inductive part) In a variant, step (2) becomes: Show that, whenever the property holds at all natural less than or equal to n , then it also holds at n + 1 NB: other variants are possible, modifying for instance the basis page 56

Example of mathematical induction 1 + 2+. . . + n = n × ( n + 1) 2 Basis: 1 = 1 × 2 2 Inductive step: (assume true at n , prove statement for n + 1 ) 1 + 2+. . . + n + ( n + 1) = (inductive hypothesis) n × ( n + 1) + ( n + 1) = 2 n × ( n + 1) + 2 × ( n + 1) = 2 2 n × ( n + 1) + 2 × ( n + 1) = 2 ( n + 1) × ( n + 2) ( n + 1) × (( n + 1) + 1) = 2 2 page 57

Rule induction: finite traces (may termination) (assume only one label P 1 P 2 P 7 hence we drop it) P 5 P 3 P 4 P 6 A process stopped : it cannot do any transitions P has a finite trace , written P ⇂ , if P has a finite sequence of transitions that lead to a stopped process Examples: P 1 , P 2 , P 3 , P 5 , P 7 (how many finite traces for P 2 ?) (inductive definition of ⇂ ) P ⇂ if as rules: P ′ ⇂ → P ′ P stopped P − (1) P is stopped (2) ∃ P ′ with P − → P ′ and P ′ ⇂ P ⇂ P ⇂ page 58

What is a set inductively defined by a set of rules? ... later , using some (very simple) fixed-point and lattice theory Now: 3 equivalent readings of inductive sets derived from the definition of inductive sets (we will show this for one reading) page 59

Equivalent readings for ⇂ P ′ ⇂ → P ′ P − P stopped ( AX ) ( INF ) P ⇂ P ⇂ – The processes obtained with a finite proof from the rules page 60

Equivalent readings for ⇂ P ′ ⇂ → P ′ P − P stopped ( AX ) ( INF ) P ⇂ P ⇂ – The processes obtained with a finite proof from the rules Example P 7 stopped P 2 − → P 7 ( AX ) P 7 ⇂ P 1 − → P 2 ( INF ) P 2 ⇂ ( INF ) P 1 ⇂ P 1 P 2 P 7 P 5 P 3 P 4 P 6 page 61

Equivalent readings for ⇂ P ′ ⇂ → P ′ P − P stopped ( AX ) ( INF ) P ⇂ P ⇂ – The processes obtained with a finite proof from the rules Example (another proof for P 1 ; how many other proofs?) : P 7 stopped P 2 − → P 7 P 7 ⇂ P 1 − → P 2 P 2 ⇂ P 2 − → P 1 P 1 ⇂ P 1 − → P 2 P 2 ⇂ P 1 ⇂ P 1 P 2 P 7 P 5 P 3 P 4 P 6 page 62

Equivalent readings for ⇂ P ′ ⇂ → P ′ P − P stopped ( AX ) ( INF ) P ⇂ P ⇂ – The processes obtained with a finite proof from the rules – the smallest set of processes that is closed forward under the rules ; i.e., the smallest subset S of Pr (all processes) such that ∗ all stopped processes are in S ; → P ′ and P ′ ∈ S , then also P ∈ S . ∗ if there is P ′ with P − page 63

Equivalent readings for ⇂ P ′ ⇂ → P ′ P − P stopped ( AX ) ( INF ) P ⇂ P ⇂ – The processes obtained with a finite proof from the rules – the smallest set of processes that is closed forward under the rules ; i.e., the smallest subset S of Pr (all processes) such that ∗ all stopped processes are in S ; → P ′ and P ′ ∈ S , then also P ∈ S . ∗ if there is P ′ with P − Hence a proof technique for ⇂ (rule induction): given a property T on the processes (a subset of processes), to prove ⇂ ⊆ T (all processes in ⇂ have the property) show that T is closed forward under the rules. page 64

Example of rule induction for finite traces A partial function f , from processes to integers, that satisfies the following conditions: f ( P ) = 0 if P is stopped → P ′ for some P ′ min { f ( P ′ ) + 1 | P − f ( P ) = and f ( P ′ ) is defined } otherwise ( f can have any value, or even be undefined, if the set on which the min is taken is empty) We wish to prove f defined on processes with a finite trace (i.e., dom ( ⇂ ) ⊆ dom ( f ) ) We can show that dom ( f ) is closed forward under the rules defining ⇂ . Proof: 1. f ( P ) is defined whenever P is stopped; 2. if there is P ′ with P − → P ′ and f ( P ′ ) is defined, then also f ( P ) is defined. page 65

Equivalent readings for ⇂ P ′ ⇂ → P ′ P − P stopped ( AX ) ( INF ) P ⇂ P ⇂ – The processes obtained with a finite proof from the rules – the smallest set of processes that is closed forward under the rules ; i.e., the smallest subset S of Pr (all processes) such that ∗ all stopped processes are in S ; → P ′ and P ′ ∈ S , then also P ∈ S . ∗ if there is P ′ with P − – (iterative construction) Start from ∅ ; add all objects as in the axiom; repeat adding objects following the inference rule forwards page 66

Rule coinduction definition: ω -traces (non-termination) P 1 P 2 P 7 P 5 P 3 P 4 P 6 P has an ω -trace , written P ↾ , if it there is an infinite sequence of transitions starting from P . Examples: P 1 , P 2 , P 4 , P 6 Coinductive definition of ↾ : P ′ ↾ → P ′ P − P ↾ page 67

Equivalent readings for ⇂ P ′ ↾ → P ′ P − P ↾ – The processes obtained with an infinite proof from the rules page 68

Equivalent readings for ⇂ P ′ ↾ → P ′ P − P ↾ – The processes obtained with an infinite proof from the rules Example . . . P 1 − → P 2 P 2 ↾ P 2 − → P 1 P 1 ↾ P 1 − → P 2 P 2 ↾ P 1 ↾ P 1 P 2 P 7 P 5 P 3 P 4 P 6 page 69

Equivalent readings for ⇂ P ′ ↾ → P ′ P − P ↾ – The processes obtained with an infinite proof from the rules An invalid proof: ?? P 3 − → P 5 P 5 ↾ P 1 − → P 3 P 3 ↾ P 1 ↾ P 1 P 2 P 7 P 5 P 3 P 4 P 6 page 70

Equivalent readings for ⇂ P ′ ↾ → P ′ P − P ↾ – The processes obtained with an infinite proof from the rules – the largest set of processes that is closed backward under the rule ; i.e., the largest subset S of processes such that if P ∈ S then ∗ there is P ′ such that P − → P ′ and P ′ ∈ S . page 71

Equivalent readings for ⇂ P ′ ↾ → P ′ P − P ↾ – The processes obtained with an infinite proof from the rules – the largest set of processes that is closed backward under the rule ; i.e., the largest subset S of processes such that if P ∈ S then ∗ there is P ′ such that P − → P ′ and P ′ ∈ S . Hence a proof technique for ↾ (rule coinduction): to prove that each process in a set T has an ω -trace show that T is closed backward under the rule. page 72

Example of rule coinduction for ω -traces P 1 P 2 P 7 P ′ ↾ → P ′ P − P ↾ P 5 P 3 P 4 P 6 Suppose we want to prove P 1 ↾ Proof T = { P 1 , P 2 } is closed backward : P 1 − → P 2 P 2 ∈ T P 2 − → P 1 P 1 ∈ T P 1 ∈ T P 2 ∈ T Another choice: T = { P 1 , P 2 , P 4 , P 6 } (correct, but more work in the proof) Would T = { P 1 , P 2 , P 4 } or T = { P 1 , P 2 , P 3 } be correct? page 73

ω -traces in the bisimulation style A predicate S on processes is ω -closed if whenever P ∈ S : – there is P ′ ∈ S such that P − → P ′ . P has an ω -trace , written P ↾ , if P ∈ S , for some ω -closed predicate S . The proof technique is explicit Compare with the definition of bisimilarity: A relation R on processes is a bisimulation if whenever P R Q : µ µ → Q ′ and P ′ R Q ′ ; 1. ∀ µ, P ′ s.t. P → P ′ , then ∃ Q ′ such that Q − − µ µ → P ′ and P ′ R Q ′ . 2. ∀ µ, Q ′ s.t. Q → Q ′ , then ∃ P ′ such that P − − P and Q are bisimilar , written P ∼ Q , if P R Q , for some bisimulation R . page 74

Equivalent readings for ⇂ P ′ ↾ → P ′ P − P ↾ – The processes obtained with an infinite proof from the rules – the largest set of processes that is closed backward under the rule ; i.e., the largest subset S of processes such that if P ∈ S then ∗ there is P ′ ∈ S such that P − → P ′ . – (iterative construction) start with the set Pr of all processes; repeatedly remove a process P from the set if one of these applies (the backward closure fails): ∗ P has no transitions ∗ all transitions from P lead to derivatives that are not anymore in the set. page 75

An inductive definition: finite lists over a set A ℓ ∈ L a ∈ A nil ∈ L � a � • ℓ ∈ L 3 equivalent readings (in the “forward” direction): – The objects obtained with a finite proof from the rules – The smallest set closed forward under these rules A set T is closed forward if: – nil ∈ T – ℓ ∈ T implies � a � • ℓ ∈ T , for all a ∈ A Inductive proof technique for lists: Let T be a predicate (a property) on lists. To prove that T holds on all lists, prove that T is closed forward – (iterative construction) Start from ∅ ; add all objects as in the axiom; repeat adding objects following the inference rule forwards page 76

A coinductive definition: finite and infinite lists over A ℓ ∈ L a ∈ A nil ∈ L � a � • ℓ ∈ L 3 equivalent readings (in the “backward” direction) : – The objects that are conclusion of a finite or infinite proof from the rules – The largest set closed backward under these rules A set T is closed backward if ∀ t ∈ T : – either t = nil – or t = � a � • ℓ , for some ℓ ∈ T and a ∈ A Coinduction proof method: to prove that ℓ is a finite or infinite list, find a set D with ℓ ∈ D and D closed backward – X = all (finite and infinite) strings of A ∪ { nil , � , � , •} Start from X (all strings) and keep removing strings, following the backward-closure page 77

An inductive definition: convergence, in λ -calculus e ::= x | λx . e | e 1 ( e 2 ) Set of λ -terms (an inductive def!) Convergence to a value ( ⇓ ), on closed λ -terms, call-by-name: e 0 { e 2 x } ⇓ e ′ e 1 ⇓ λx . e 0 / λx . e ⇓ λx . e e 1 ( e 2 ) ⇓ e ′ As before, ⇓ can be read in terms of finite proofs, limit of an iterative construction, or smallest set closed forward under these rules ⇓ is the smallest relation S on (closed) λ -terms s.t. – λx . e S λx . e for all abstractions, x } S e ′ then also e 1 ( e 2 ) S e ′ . – if e 1 S λx . e 0 and e 0 { e 2 / page 78

A coinductive definition: divergence in the λ -calculus Divergence ( ⇑ ), on closed λ -terms, call-by-name: e 0 { e 2 e 1 ⇑ e 1 ⇓ λx . e 0 / x } ⇑ e 1 ( e 2 ) ⇑ e 1 ( e 2 ) ⇑ The ‘closed backward’ reading: ⇑ is the largest predicate on λ -terms that is closed backward under these rules; i.e., the largest subset D of λ -terms s.t. if e ∈ D then – either e = e 1 ( e 2 ) and e 1 ∈ D , – or e = e 1 ( e 2 ) , e 1 ⇓ λx . e 0 and e 0 { e 2 x } ∈ D . / Coinduction proof technique : to prove e ⇑ , find E ⊆ Λ closed backward and with e ∈ E What is the smallest predicate closed backward? page 79

The duality induction/coinduction page 80

Constructors/destructors – An inductive definition tells us what are the constructors for generating all the elements (cf: the forward closure). – A coinductive definition tells us what are the destructors for decomposing the elements (cf: the backward closure). The destructors show what we can observe of the elements (think of the elements as black boxes; the destructors tell us what we can do with them; this is clear in the case of infinite lists). page 81

Definitions given by means of rules – if the definition is inductive , we look for the smallest universe in which such rules live. – if it is coinductive , we look for the largest universe. – the inductive proof principle allows us to infer that the inductive set is included in a set (ie, has a given property) by proving that the set satisfies the forward closure ; – the coinductive proof principle allows us to infer that a set is included in the coinductive set by proving that the given set satisfies the backward closure . page 82

Forward and backward closures A set T being closed forward intuitively means that for each rule whose premise is satisfied in T there is an element of T such that the element is the conclusion of the rule. In the backward closure for T , the order between the two quantified entities is swapped: for each element of T there is a rule whose premise is satisfied in T such that the element is the conclusion of the rule. In fixed-point theory, the duality between forward and backward closure will the duality between pre-fixed points and post-fixed points. page 83

Congruences vs bisimulation equivalences Congruence : an equivalence relation that respects the constructors of a language Example ( λ -calculus) Consider the following rules, acting on pairs of (open) λ -terms: ( e 1 , e 2 ) ( e 1 , e 2 ) ( e 1 , e 2 ) ( x, x ) ( e e 1 , e e 2 ) ( e 1 e, e 2 e ) ( λx . e 1 , λx . e 2 ) A congruence: an equivalence relation closed forward under the rules The smallest such relation is syntactic equality : the identity relation In other words, congruence rules express syntactic constraints page 84

Bisimulation equivalence : an equivalence relation that respects the destructors Example ( λ -calculus, call-by-name) Consider the following rules e 1 ⇑ e 2 ⇑ e 1 , e 2 closed ( e 1 , e 2 ) 1 { e ′′ 2 { e ′′ e 1 ⇓ λx . e ′ e 2 ⇓ λx . e ′ ∪ e ′′ { ( e ′ x } , e ′ x } ) } / / e 1 , e 2 , e ′′ closed 1 2 ( e 1 , e 2 ) ∪ σ { ( e 1 σ, e 2 σ ) } e 1 , e 2 non closed, σ closing substitution for e 1 , e 2 ( e 1 , e 2 ) A bisimulation equivalence: an equivalence relation closed backward under the rules The largest such relation is semantic equality : bisimilarity In other words, the bisimulation rules express semantic constraints page 85

Substitutive relations vs bisimulations In the duality between congruences and bisimulation equivalences, the equivalence requirement is not necessary. Leave it aside, we obtaining the duality between bisimulations and substitutive relations a relation is substitutive if whenever s and t are related, then any term t ′ must be related to a term s ′ obtained from t ′ by replacing occurrences of t with s page 86

Bisimilarity is a congruence To be useful, a bisimilarity on a term language should be a congruence This leads to proofs where inductive and coinductive techniques are intertwined In certain languages, for instance higher-order languages, such proofs may be hard, and how to best combine induction and coinduction remains a research topic. What makes the combination delicate is that the rules on which congruence and bisimulation are defined — the rules for syntactic and semantic equality — are different. page 87

Summary of the dualities inductive definition coinductive definition induction proof principle coinduction proof principle constructors observations smallest universe largest universe ’forward closure’ in rules ’backward closure’ in rules congruence bisimulation equivalence substitutive relation bisimulation identity bisimilarity least fixed point greatest fixed point pre-fixed point post-fixed point algebra coalgebra syntax semantics semi-decidable set cosemi-decidable set strengthening of the candidate in proofs weakening of the candidate in proofs page 88

We have seen: – examples of induction and coinduction – 3 readings for the sets inductively and coinductively obtained from a set of rules – justifications for the induction and coinduction proof principles – the duality between induction and coinduction, informally page 89

Remaining questions – What is the definition of an inductive set? – From this definition, how do we derive the previous 3 readings for sets inductively and coinductively obtained from a set of rules? – How is the duality induction/coinduction formalised? What follows answers these questions. It is a simple application of fixed-point theory on complete lattices. To make things simpler, we work on powersets and fixed-point theory . (It is possible to be more general, working with universal algebras or category theory.) page 90

Complete lattices and fixed-points page 91

Complete lattices The important example of complete lattice for us: powersets . For a given set X , the powerset of X , written ℘ ( X ) , is def ℘ ( X ) = { T | T ⊆ X } ℘ ( X ) is a complete lattice because: – it comes with a relation ⊆ (set inclusion) that is reflexive, transitive, and antisymmetric. – it is closed under union and intersection ( ∪ and ∩ give least upper bounds and greatest lower bounds for ⊆ ) A partially ordered set (or poset ): a non-empty set with a relation on its elements that is reflexive, transitive, and antisymmetric. A complete lattice : a poset with all joins (least upper bounds) and (hence) also all meets (greatest lower bounds). page 92

Example of a complete lattice • • • • • • • • • • • • • • • • • • • • • • • • • Two points x, y are in the relation ≤ if there is a path from x to y following the directional edges (a path may also be empty, hence x ≤ x holds for all x ) page 93

A partially ordered set that is not a complete lattice a b c d e f Again, x ≤ y if there is a path from x to y page 94

The Fixed-point Theorem NB: Complete lattices are “dualisable” structures: reverse the arrows and you get another complete lattice. Similarly, statements on complete lattices can be dualised. For simplicity, we will focus on complete lattices produced by the powerset construction. But all statements can be generalised to arbitrary complete lattices Given a function F on a complete lattice: – F is monotone if x ≤ y implies F ( x ) ≤ F ( y ) , for all x, y . – x is a pre-fixed point of F if F ( x ) ≤ x . Dually, x is a post-fixed point if x ≤ F ( x ) . – x is a fixed point of F if F ( x ) = x (it is both pre- and post-fixed point) – The set of fixed points of F may have a least element, the least fixed point , and a greatest element, the greatest fixed point page 95

Theorem [Fixed-point Theorem] If F : ℘ ( X ) → ℘ ( X ) is monotone, then � { T | F ( T ) ⊆ T } lfp ( F ) = � gfp ( F ) = { T | T ⊆ F ( T ) } (the meet of the pre-fixed points, the join of the post-fixed points) NB: the theorem actually says more: the set of fixed points is itself a complete lattice, and the same for the sets of pre-fixed points and post-fixed points. page 96

Proof of the Fixed-point Theorem We consider one part of the statement (the other part is dual), namely � gfp ( F ) = { S | S ⊆ F ( S ) } Set T = � { S | S ⊆ F ( S ) } . We have to show T fixed point (it is then the greatest: any other fixed point is a post-fixed point, hence contained in T ) Proof of T ⊆ F ( T ) For each S s.t. S ⊆ F ( S ) we have: S ⊆ T (def of T as a union) F ( S ) ⊆ F ( T ) hence (monotonicity of F ) S ⊆ F ( T ) hence (since S is a post-fixed point) We conclude F ( T ) ⊇ � { S | S ⊆ F ( S ) } = T page 97

Proof of the Fixed-point Theorem We consider one part of the statement (the other part is dual), namely � gfp ( F ) = { S | S ⊆ F ( S ) } Set T = � { S | S ⊆ F ( S ) } . We have to show T fixed point (it is then the greatest: any other fixed point is a post-fixed point, hence contained in T ) Proof of F ( T ) ⊆ T We have T ⊆ F ( T ) (just proved) F ( T ) ⊆ F ( F ( T )) (monotonicity of F ) hence that is, F ( T ) is a post-fixed point Done, by definition of T as a union of the post-fixed points. page 98

Sets coinductively and inductively defined by F Definition Given a complete lattice produced by the powerset construction, and an endofunction F on it, the sets: � def F ind = { x | F ( x ) ⊆ x } � def F coind = { x | x ⊆ F ( x ) } are the sets inductively defined by F , and coinductively defined by F . By the Fixed-point Theorem, when F monotone: F ind = lfp ( F ) = least pre-fixed point of F F coind gfp ( F ) = = greatest post-fixed point of F page 99